Feds to test security of transactions

By Brad Bass, Heather Harreld

Mar 02, 1997

The General Services Administration this month kicks off a year-long test of an encryption project that it hopes will eventually allow participants to conduct secure transactions with the government from personal computers or public kiosks.

In its first series of applications, the Federal Security Infrastructure Program (FSIP) will include 2,000 computer users from six agencies. The pilot project will protect vendors' electronic bids on the agency's Post-FTS 2000 and Federal Acquisition Services for Technology (FAST) program, which GSA uses to match agencies' information technology needs with vendors, said GSA program manager Stanley Choffrey. FSIP also will secure vendors' responses to synopses published in the Commerce Business Daily.

In addition, users from the interagency National Security Telecommunications and Information Systems Security Committee (NSTISSC) will use the infrastructure to encrypt "virtual meeting" sessions.

"This is a new technology, and we've got a lot to learn," Choffrey said. "Hopefully we will have learned enough after six to eight months of the pilot that we will have an operational infrastructure in place that agencies can continue using."

Bidders on Post-FTS 2000 contracts will be required to submit bids via FSIP, said David Cleveland, deputy assistant commissioner for service development at GSA's Federal Telecommunications Service. "We want to receive proposals in the electronic medium, and the FSIP appears to be a way to do that," he said. "I expect we will probably request a paper copy as well."

Besides GSA's Post-FTS 2000 and FAST program offices and the NSTISSC, organizations participating in the project include the Federal Transit Administration and the Office of Motor Carriers at the Transportation Department, and the Government Printing Office. The pilot will be expanded to about 10,000 users by the end of the year.

Choffrey said the infrastructure will be based on hardware-token technology, generally accepted as more secure than software-based solutions.

To participate in FSIP, users are required to provide two forms of identification to the U.S. Postal Service, which is acting as the project's "certification authority." The authority will then provide a hardware token resembling a 3.5-inch floppy diskette, which will contain a certificate identifying the user and a public/private key pair unique to the user. The token will allow users to access a secure server, verify each other's identity and establish an encrypted connection.

Atalla Corp., a company specializing in high-performance cryptographic processing technology, will provide its WebSafe2 cryptographic hardware module. WebSafe2, which accepts transactions from any browser, will bridge the gap between public-network keys used mostly by the private sector and private-network keys used extensively in the government.

Larry Hines, director of technical support for Atalla, said the GSA project is one of the most innovative security test beds because, while many entities are mainly concerned with protecting sensitive data from outside intruders, FSIP protects communications throughout the transmittal process to also guard against internal threats, such as disgruntled employees.
